SOP 1 about Digital Forensic Examination Procedure

One type of evidence that can be found at the scene, in both civil and criminal cases, is electronic evidence: personal computers (PCs), laptops / notebooks, netbooks, tablet PCs, mobile phones, flash disks, memory cards, etc. Electronic evidence plays a significant role in the disclosure of a case because it stores digital data that can be used to explain the history of the case and to reconstruct it. The examination of electronic evidence should therefore be based on SOPs 6 through 15, which follow the international guidelines issued by the Association of Chief Police Officers (ACPO) and 7Safe in the UK and by the National Institute of Justice (NIJ) of the US Department of Justice, so that the results are reliable, scientifically defensible and legally admissible.
In addition to those SOPs, a digital forensic examination of electronic evidence should also be carried out in accordance with SOP 2, which sets the working-hours commitment for each examination and each of its phases in detail. This is intended to make the examination efficient and effective, so that it helps to speed up the inquiry / further investigation.
To integrate the SOPs for digital forensic examination as a whole, SOP 1 is needed: it describes the procedure for a comprehensive digital forensic examination, starting from activities at the scene and ending with analysis activities in the laboratory. Through SOP 1, digital forensic examiners and investigators should understand that the digital forensic function begins with the initial examination at the scene and continues into the more complex further examination in the laboratory. Because the initial handling of the evidence already involves the digital forensic function, the procedural validity of the evidence and the integrity of the chain of custody (the trip of the evidence from the crime scene to the trial) can be justified scientifically. In addition, the initial data needed for inquiry / investigation can be obtained quickly, because the initial examination of electronic evidence at the crime scene is done correctly when SOP 1 is applied.

2. Purpose

To ensure orderly administrative and technical handling of electronic evidence in a comprehensive manner, from the crime scene to the laboratory, so that inquiry / investigation is supported quickly and correctly.

6.1. Principles

The handling of electronic evidence follows the 'Good Practice Guide for Computer-Based Electronic Evidence' published by the Association of Chief Police Officers (ACPO). Its four principles are:
6.1.1. Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
6.1.2. Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
6.1.3. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
6.1.4. Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

6.2. Forensic Triage

6.2.1. Examination procedure when the evidence is in the OFF state
The phases below are explained in detail in SOP 6 on Forensic Triage. A device found switched off is not switched on at the scene, since booting it would change data on the media (Principle 1):
- Checking
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.2.2. Examination procedure when the evidence is in the ON state
The phases below are explained in detail in SOP 6 on Forensic Triage, except for live acquisition, which is covered by SOP 7. Initial data extraction and live acquisition are the only phases that touch the running system, so they are performed only by a competent examiner and every action is recorded (Principles 2 and 3), and volatile data is captured before the device is powered off:
- Checking
- Initial Data Extraction
- Live Acquisition, referring to SOP 7
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.3. Further examination in the laboratory

6.3.1. Examination and Analysis of Hard Disks, Flash Disks and Memory Cards
Each phase below is explained in detail in its own SOP; the expected duration of each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Analysis: SOP 9
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.2. Examination and Analysis of Mobile Phones and SIM Cards
Each phase below is explained in detail in its own SOP; the expected duration of each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 10
- Analysis: SOP 11
- Reporting: SOP 3
- Submitting evidence: SOP 5
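ACPO Principles 1 and 3 in section 6.1 and the acquisition phase of 6.3.1 (SOP 8) come down to the same two checks in practice: the source media must hash the same before and after it is read, and an independent examiner must be able to reproduce the result from the record alone. The Python below is an added illustration written for this page, not code from the SOPs or from Puslabfor; the sample media, the case identifier and the examiner name are constructed, SHA-256 is this example's own choice of hash, and a real acquisition would read the device through a write blocker rather than from a byte string.

```python
"""Acquisition integrity and audit trail (added example, not part of the SOPs)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "source media", standing in for a block device that would
# in practice be read through a hardware write blocker (assumption of this example).
SAMPLE_MEDIA = (b"FAT32 boot sector placeholder " * 64) + bytes(range(256)) * 8


def sha256_hex(data: bytes) -> str:
    """Hash recorded in the audit trail; SHA-256 is this example's own choice."""
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only record of every process applied to the evidence (Principle 3)."""

    def __init__(self, case_id: str, examiner: str) -> None:
        self.case_id = case_id
        self.examiner = examiner
        self.records: list[dict] = []

    def log(self, action: str, **details) -> dict:
        record = {
            "case_id": self.case_id,
            "examiner": self.examiner,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            **details,
        }
        self.records.append(record)
        return record

    def to_jsonl(self) -> str:
        """One JSON object per line: the form handed to an independent examiner."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def acquire(media: bytes, trail: AuditTrail, block_size: int = 4096) -> dict:
    """Bit-for-bit copy with a source hash taken before and after the read (Principle 1)."""
    before = sha256_hex(media)
    trail.log("hash_source_before", sha256=before, size=len(media))

    image = bytearray()
    image_hash = hashlib.sha256()
    for offset in range(0, len(media), block_size):
        block = media[offset:offset + block_size]  # read-only access to the source
        image += block
        image_hash.update(block)

    after = sha256_hex(media)
    trail.log("hash_source_after", sha256=after)
    trail.log("acquire_image", image_sha256=image_hash.hexdigest(),
              image_size=len(image), block_size=block_size)

    if before != after:
        # The source changed while being read: the image cannot be relied upon in court.
        raise RuntimeError("source media changed during acquisition (Principle 1)")
    return {"image": bytes(image), "sha256": image_hash.hexdigest()}


def verify(image: bytes, trail_jsonl: str) -> bool:
    """Re-check an image from the audit trail alone, as an independent third party would."""
    records = [json.loads(line) for line in trail_jsonl.splitlines()]
    by_action = {r["action"]: r for r in records}
    try:
        before = by_action["hash_source_before"]["sha256"]
        after = by_action["hash_source_after"]["sha256"]
        recorded = by_action["acquire_image"]["image_sha256"]
    except KeyError:
        return False  # an incomplete trail is not reproducible
    # Source unchanged, image matches the record, and image equals the source bit for bit.
    return before == after == recorded == sha256_hex(image)


def tamper(image: bytes, offset: int = 0) -> bytes:
    """Flip one byte, simulating an altered image that verification must reject."""
    return image[:offset] + bytes([image[offset] ^ 0xFF]) + image[offset + 1:]


if __name__ == "__main__":
    # Constructed case identifier and examiner name.
    trail = AuditTrail(case_id="LAB/2012/0001", examiner="examiner-1")
    result = acquire(SAMPLE_MEDIA, trail)
    print(trail.to_jsonl())
    print("image verifies:", verify(result["image"], trail.to_jsonl()))
    print("tampered image verifies:", verify(tamper(result["image"]), trail.to_jsonl()))
```

The trail is what travels with the evidence: a second examiner who receives the image and the JSON lines needs nothing else to repeat the check, and a single changed byte in the image, or a missing record in the trail, makes `verify` return False.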

6 comments:

Hello, this is a really good and helpful reference for SOPs in digital forensics, especially for me, as I have just started to be involved in a real working environment of digital forensics. Anyway, is there by any chance a complete documentation (published or unpublished) of the SOPs, as you mentioned in a previous entry, that I can learn from and adopt? Or perhaps I should stay tuned to your blog? It would be really helpful for a newbie like me. Thanks. Cheers, -Steph

About Me

I have been working for the Indonesian Police Forensic Laboratory Centre (Puslabfor Bareskrim Polri) since 1997. My current job is Chief of the Computer Forensic Sub-Department. My core duties are to handle digital forensic investigation and analysis of electronic and digital evidence. I am the pioneer of developing computer forensic capabilities at Puslabfor Bareskrim Polri, which was started around 2000. Last year, in 2012, my team and I successfully investigated and analyzed 488 items of evidence from 81 cases of computer crime and computer-related crime.
In 2012 I wrote a book with the title "Digital Forensic: Practical Guidelines for Forensic Investigation". Its content is drawn mostly from the knowledge I gained in the MSc in Forensic Informatics at the University of Strathclyde, UK, in 2008/2009 through a Chevening Scholarship. In 2010, the British Council in Indonesia gave me a prestigious award as one of "The Super Six UK Alumni".